Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of: receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set; incrementing a packet counter associated with a destination address of the flow if a specified first time has elapsed; determining if the packet counter associated with the destination address is greater than a specified threshold value; and generating a notification message when the packet counter has exceeded the threshold value.
2. A method as recited in claim 1, further comprising the step of: caching information identifying the packet flow in an aggregation cache that aggregates packet flows based on destination address.
3. A method as recited in claim 1, wherein: the incrementing step is not performed if a second packet of the flow in which an ACK bit of the TCP header is set is received before the specified first time has elapsed.
4. A method as recited in claim 1, further comprising the step of: expiring the flow from a network flow data cache when the first time has elapsed.
5. A method as recited in claim 1, further comprising the steps of: receiving a second packet of the flow in which a RST bit of the TCP header is set; determining a time difference between when the first packet was received and when the second packet was received; incrementing a flow counter associated with the destination address of the flow if the time difference is less than a specified global connection uptime value; determining if the flow counter associated with the destination address is greater than a specified threshold value; and generating a notification message when the flow counter has exceeded the threshold value.
6. A method as recited in claim 5, further comprising the steps of: counting a number of packets received in the flow between the first packet and the second packet; determining whether the number of packets is less than a specified minimum threshold value; incrementing the flow counter if the number of packets is less than the threshold value.
7. A method as recited in claim 6, further comprising the step of: caching information identifying the packet flow in an aggregation cache that aggregates packet flows based on destination address if the number of packets is less than the specified minimum threshold value.
8. A method as recited in claim 6, further comprising the step of: expiring the flow from a network flow data cache if the time difference is less than the specified global connection uptime value or if the number of packets is less than the specified minimum threshold value.
9. A method as recited in claim 5, wherein the message further comprises: a source address, source port, protocol, destination port, and destination address of the flow; the flow counter; and the time difference.
10. A method as recited in claim 5, further comprising the step of: caching information identifying the packet flow in an aggregation cache that aggregates packet flows based on destination address if the time difference is less than the specified global connection uptime value.
11. A method as recited in claim 5, further comprising the step of: expiring the flow from a network flow data cache when a second time that is equal to the greater of the first time and the global connection uptime value has elapsed.
12. A method as recited in claim 5, further comprising the step of: expiring the flow from a network flow data cache if the time difference is less than the specified global connection uptime value.
13. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of: receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set; receiving a second packet of the flow in which a RST bit of the TCP header is set; determining a time difference between when the first packet was received and when the second packet was received; incrementing a flow counter associated with the destination address of the flow if the time difference is less than a specified global connection uptime value; determining if the flow counter associated with the destination address is greater than a specified threshold value; and generating a notification message when the flow counter has exceeded the threshold value.
14. A method as recited in claim 13, further comprising the steps of: counting a number of packets received in the flow between the first packet and the second packet; determining whether the number of packets is less than a specified minimum threshold value; incrementing the flow counter if the number of packets is less than the threshold value.
15. A method as recited in claim 14, further comprising the step of: caching information identifying the packet flow in an aggregation cache that aggregates packet flows based on destination address if the number of packets is less than the specified minimum threshold value.
16. A method as recited in claim 14, further comprising the step of: expiring the flow from a network flow data cache if the time difference is less than the specified global connection uptime value or if the number of packets is less than the specified minimum threshold value.
17. A method as recited in claim 13, wherein the message further comprises: a source address, source port, protocol, destination port, and destination address of the flow; the flow counter; and the time difference.
18. A method as recited in claim 13, further comprising the step of: caching information identifying the packet flow in an aggregation cache that aggregates packet flows based on destination address if the time difference is less than the specified global connection uptime value.
19. A method as recited in claim 13, further comprising the step of: expiring the flow from a network flow data cache if the time difference is less than the specified global connection uptime value.
20. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of: receiving, at a router, a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set; incrementing a packet counter stored at the router and associated with a destination address of the flow if a specified first time has elapsed; determining if the packet counter associated with the destination address is greater than a specified threshold value; and generating a notification message when the packet counter has exceeded the threshold value.
21. A method as recited in claim 20, further comprising the step of: caching information identifying the packet flow in a NetFlow aggregation cache stored at the router that aggregates packet flows based on destination address.
22. A method as recited in claim 20, wherein: the incrementing step is not performed if a second packet of the flow in which an ACK bit of the TCP header is set is received before the specified first time has elapsed.
23. A method as recited in claim 20, further comprising the step of: expiring the flow from a NetFlow cache stored at the router when the first time has elapsed.
24. A method as recited in claim 20, further comprising the steps of: receiving, at the router, a second packet of the flow in which a RST bit of the TCP header is set; determining a time difference between when the first packet was received and when the second packet was received; incrementing a flow counter stored at the router and associated with the destination address of the flow if the time difference is less than a specified global connection uptime value; determining if the flow counter associated with the destination address is greater than a specified threshold value; and generating a notification message when the flow counter has exceeded the threshold value.
25. A method as recited in claim 24, further comprising the steps of: counting a number of packets received at the router in the flow between the first packet and the second packet; determining whether the number of packets is less than a specified minimum threshold value; incrementing the flow counter if the number of packets is less than the threshold value.
26. A method as recited in claim 25, further comprising the step of: caching information identifying the packet flow in a NetFlow aggregation cache stored at the router that aggregates packet flows based on destination address if the number of packets is less than the specified minimum threshold value.
27. A method as recited in claim 25, further comprising the step of: expiring the flow from a NetFlow cache stored at the router if the time difference is less than the specified global connection uptime value or if the number of packets is less than the specified minimum threshold value.
28. A method as recited in claim 27, further comprising the step of: expiring the flow from a NetFlow cache stored at the router if the time difference is less than the specified global connection uptime value or if the number of packets is less than the specified minimum threshold value.
29. A method as recited in claim 24, wherein the message further comprises: a source address, source port, protocol, destination port, and destination address of the flow, wherein the source address and the destination address are Internet Protocol (IP) addresses; the flow counter; and the time difference.
30. A method as recited in claim 24, further comprising the step of: caching information identifying the packet flow in a NetFlow aggregation cache stored at the router that aggregates packet flows based on destination address if the time difference is less than the specified global connection uptime value.
31. A method as recited in claim 24, further comprising the step of: expiring the flow from a NetFlow cache stored at the router when a second time that is equal to the greater of the first time and the global connection uptime value has elapsed.
32. A method as recited in claim 24, further comprising the step of: expiring the flow from a NetFlow cache stored at the router if the time difference is less than the specified global connection uptime value.
33. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of: receiving, at a router, a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set; receiving, at the router, a second packet of the flow in which a RST bit of the TCP header is set; determining a time difference between when the first packet was received and when the second packet was received; incrementing a flow counter stored at the router and associated with the destination address of the flow if the time difference is less than a specified global connection uptime value; determining if the flow counter associated with the destination address is greater than a specified threshold value; and generating a notification message when the flow counter has exceeded the threshold value.
34. A method as recited in claim 32, further comprising the steps of: counting a number of packets received at the router in the flow between the first packet and the second packet; determining whether the number of packets is less than a specified minimum threshold value; incrementing the flow counter if the number of packets is less than the threshold value.
35. A method as recited in claim 33, wherein the message further comprises: a source address, source port, protocol, destination port, and destination address of the flow, wherein the source address and the destination address are Internet Protocol (IP) addresses; the flow counter; and the time difference.
36. A method as recited in claim 33, further comprising the step of: caching information identifying the packet flow in a NetFlow aggregation cache stored at the router that aggregates packet flows based on destination address if the time difference is less than the specified global connection uptime value.
37. A method as recited in claim 34, further comprising the step of: caching information identifying the packet flow in a NetFlow aggregation cache stored at the router that aggregates packet flows based on destination address if the number of packets is less than the specified minimum threshold value.
38. A method as recited in claim 33, further comprising the step of: expiring the flow from a NetFlow cache stored at the router if the time difference is less than the specified global connection uptime value.
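The claims describe two per-destination counters kept beside a flow cache: one for SYN-only flows that are still unanswered when a first timeout elapses (claims 1, 3, 4), and one for flows that go from SYN to RST faster than a "global connection uptime" with fewer than a minimum number of packets in between (claims 5, 6, 9, 12). The following is an added example, not code from the patent or from any router vendor, modelling that logic as a small flow-cache detector; the class and field names, the parameter values, the notification layout and the packet samples in `run_demo` are all constructed for the illustration, and flows are keyed on a single direction of the 5-tuple for simplicity.

```python
"""Flow-cache model of the claimed SYN-timeout and SYN/RST counters (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int, int]  # (src, sport, dst, dport, proto)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int         # 6 = TCP
    flags: frozenset   # subset of {"SYN", "ACK", "RST"}
    ts: float          # arrival time in seconds


@dataclass
class Flow:
    key: FlowKey
    syn_ts: float
    acked: bool = False        # claim 3: an ACK inside first_time cancels the count
    packets_after_syn: int = 0


@dataclass
class Detector:
    first_time: float = 2.0    # seconds a SYN may stay unanswered (assumed value)
    uptime: float = 1.0        # global connection uptime: SYN->RST faster than this is suspect
    min_packets: int = 3       # fewer packets than this between SYN and RST is suspect
    threshold: int = 5         # per-destination counter limit before a notification
    flows: Dict[FlowKey, Flow] = field(default_factory=dict)
    packet_counter: Dict[str, int] = field(default_factory=dict)  # claim 1, keyed by dst
    flow_counter: Dict[str, int] = field(default_factory=dict)    # claim 5, keyed by dst
    aggregation_cache: Dict[str, List[FlowKey]] = field(default_factory=dict)  # claims 2/7/10
    notifications: List[dict] = field(default_factory=list)

    def observe(self, p: Packet) -> None:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        syn_only = "SYN" in p.flags and not ({"ACK", "RST"} & p.flags)
        if syn_only and key not in self.flows:
            self.flows[key] = Flow(key, p.ts)   # claim 1: first packet of the flow
            return
        flow = self.flows.get(key)
        if flow is None:
            return                              # not a flow that started with a bare SYN
        flow.packets_after_syn += 1
        if "ACK" in p.flags and p.ts - flow.syn_ts < self.first_time:
            flow.acked = True
        if "RST" in p.flags:
            self._on_rst(flow, p)

    def _on_rst(self, flow: Flow, p: Packet) -> None:
        # claims 5/6: SYN followed quickly by RST with almost nothing in between
        diff = p.ts - flow.syn_ts
        between = flow.packets_after_syn - 1    # exclude the RST itself
        if diff < self.uptime and between < self.min_packets:
            self.flow_counter[p.dst] = self.flow_counter.get(p.dst, 0) + 1
            self.aggregation_cache.setdefault(p.dst, []).append(flow.key)
            if self.flow_counter[p.dst] > self.threshold:
                src, sport, dst, dport, proto = flow.key
                self.notifications.append({     # claim 9 fields
                    "kind": "syn_rst", "src": src, "sport": sport, "proto": proto,
                    "dport": dport, "dst": dst,
                    "flow_counter": self.flow_counter[p.dst], "time_difference": diff})
        self.flows.pop(flow.key, None)          # claim 12: expire the short-lived flow

    def expire(self, now: float) -> None:
        # claims 1/3/4: a SYN still unanswered after first_time counts against its destination
        for key, flow in list(self.flows.items()):
            if now - flow.syn_ts < self.first_time:
                continue
            if not flow.acked:
                dst = key[2]
                self.packet_counter[dst] = self.packet_counter.get(dst, 0) + 1
                self.aggregation_cache.setdefault(dst, []).append(key)
                if self.packet_counter[dst] > self.threshold:
                    self.notifications.append({"kind": "syn_timeout", "dst": dst,
                                               "packet_counter": self.packet_counter[dst]})
            del self.flows[key]                 # claim 4: expire once first_time has elapsed


def run_demo() -> Detector:
    """Constructed sample traffic: a half-open SYN burst and a SYN/RST burst, one host each."""
    d = Detector()
    # seven SYNs to 10.0.0.5:80 that are never answered
    for i in range(7):
        d.observe(Packet(f"192.0.2.{i}", 40000 + i, "10.0.0.5", 80, 6, frozenset({"SYN"}), 0.1 * i))
    # one normal handshake to the same host: SYN then ACK well inside first_time
    d.observe(Packet("198.51.100.9", 51000, "10.0.0.5", 80, 6, frozenset({"SYN"}), 0.5))
    d.observe(Packet("198.51.100.9", 51000, "10.0.0.5", 80, 6, frozenset({"ACK"}), 0.6))
    # six SYN->RST pairs to 10.0.0.6:22, each closed within 50 ms with nothing in between
    for i in range(6):
        t = 1.0 + 0.1 * i
        d.observe(Packet(f"203.0.113.{i}", 30000 + i, "10.0.0.6", 22, 6, frozenset({"SYN"}), t))
        d.observe(Packet(f"203.0.113.{i}", 30000 + i, "10.0.0.6", 22, 6, frozenset({"RST"}), t + 0.05))
    d.expire(now=10.0)   # first_time has elapsed for every flow still in the cache
    return d


if __name__ == "__main__":
    for n in run_demo().notifications:
        print(n)
```

With the assumed parameters the seven unanswered SYNs push the 10.0.0.5 packet counter past the threshold of 5, producing two `syn_timeout` notifications, while the acknowledged handshake is expired without being counted; the sixth SYN/RST pair to 10.0.0.6 produces one `syn_rst` notification carrying the 5-tuple, the counter and the measured time difference. In a real deployment the thresholds would be tuned per destination role, since a busy server legitimately accumulates both half-open and short-lived flows.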
September 4, 2007